—
PYSEC-2026-2046
Werkzeug safe_join() allows Windows special device names
Details
Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-66221 [ADVISORY]
- https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13 [WEB]
- https://github.com/pallets/werkzeug [PACKAGE]
- https://github.com/pallets/werkzeug/releases/tag/3.1.4 [WEB]
- https://pypi.org/project/werkzeug [PACKAGE]
- https://github.com/advisories/GHSA-hgf8-39gv-g3f2 [ADVISORY]